Pharmaceutical Regulatory and Compliance Congress and Best Practices Forum Advanced Compliance Strategies: Conducting an Enterprise-wide Risk Assessment Brian Riewerts Senior Manager Global Pharmaceuticals and Health - PowerPoint PPT Presentation

Slides: 30
Provided by: karenf150
Learn more at: http://www.ehcca.com
Transcript and Presenter's Notes


1
Pharmaceutical Regulatory and Compliance Congress
and Best Practices Forum
Advanced Compliance Strategies: Conducting an
Enterprise-wide Risk Assessment
Brian Riewerts
Senior Manager
Global Pharmaceuticals and Health Sciences
PricewaterhouseCoopers
November, 2003
2
The Market Continuum - How do you view risk?
Evolving Marketplace Drivers
  • New laws, SEC and stock exchange rules, investor
    pressure, media scrutiny and public expectations
    mandate substantial changes in:
      • corporate governance
      • business ethics
      • compliance management
      • transparency and disclosure requirements
  • Aggressive Congressional view of recent failures
  • Aggressive enforcement attitude and increased
    whistleblower complaints
  • Government budgets for enforcement and monitoring
    increasing
  • Emerging governance standards (e.g. Global
    Reporting Initiative and Sustainability
    Reporting, Open Compliance Ethics Group)
  • General Counsel identified compliance as their #1
    priority in the coming years
  • More complex business environments
  • Need to drive more efficient, better controlled
    business processes

3
The Market Continuum - How do you view risk?
Evolving Marketplace Definitions and Trends
  • In many organizations, risks are separately
    managed as part of the functional
    responsibilities of disparate departments, such
    as insurance, finance, legal and human resources.
  • Commonly, individual business units within an
    organization tend to vary in their appetite and
    ability to bear risk successfully, creating
    unique management challenges
  • Often there is no mechanism to integrate the
    information on various risks or their cumulative
    or interactive impact on an organization
  • Also, some organizations tend to focus on
    containing hazard or financial risks, giving less
    consideration to general risks posed by rapidly
    changing business environment or the risk /
    reward balance associated with its strategies.
  • Clearly, risks presented on multiple fronts
    demand coordinated, enterprise-wide responses.

4
The Market Continuum - How do you view risk?
Evolving Marketplace Definitions and Trends
  • An EWRM framework provides organizations with a
    process for identifying and communicating risk,
    the ability to assess the impact of risks and
    determine the most effective approach to risk
    management, as well as an ability to monitor
    compliance with the established risk management
    program.
  • Benefits include:
      • Enhanced competency for dynamic identification,
        assessment and management of risk, focusing
        management's attention on key issues and enabling
        more effective decision-making
      • Early warning systems
      • Mitigated impact of risk issues on the business,
        both proactively and in response to risk events
      • Prevention, detection and resolution of improper
        behavior
      • Improved compliance effectiveness across the
        organization
      • Increased efficiency and reduced costs associated
        with an integrated risk management approach

5
Risks in the Pharmaceutical Value Chain
  • There are common risks that must be addressed to
    realize the benefit of any pharmaceutical
    industry business initiative. These risks are
    often not considered or not addressed in a
    consistent and coordinated manner.

[Diagram labels]
Value chain: Sales, Marketing and Distribution; Research and Development; Supply Chain; Clinical Trials; Procurement; Sales Order Processing
Types of Initiatives: FDA Filings; Supply Chain Management; Customer Relationship Management; Data Warehousing; Manufacturing Validation; Direct to Consumer Advertising
Common Risks: Strategic; Technology; Operational; Commercial; Legal; Reputational; Financial
6
A Methodology for Enterprise-wide Risk Management
  • Though risk thinking can be viewed as management
    common sense, it is not often exhibited as
    common management practice. Therefore, a
    framework and methodology are useful in bridging
    the gap and creating real management action
    toward managing Enterprise-wide Risk in the
    business.
  • Objectives - Risks - Control - Alignment (ORCA)
    methodology creates a language for common
    understanding of risk

7
Transforming Common Sense into Common Practice
  • Articulate organizational OBJECTIVES
  • Assess RISKS across the entire spectrum
  • Build in balanced CONTROLS to manage
    organizational risks
  • Ensure ALIGNMENT of objectives, risks and
    controls across the enterprise

8
Assess Risks
  • What could keep the company from achieving its
    objectives?
  • Systems fail to perform to specification
  • Business interruptions
  • Distribution channels are insufficient
  • Lack of central coordination to minimize
    operating costs
  • Unauthorized access to sensitive information

Hazard
Uncertainty/Variance
Opportunity
  • Competitive advantage
  • Market innovations
  • Strategic flexibility
  • Regulatory
  • Ethics violations
  • Fraud
  • Forecasting/Budgeting
  • Performance against goals
  • Efficiency

9
Assess Risks
  • OBJECTIVE OF RISK ASSESSMENT IS TO
  • Separate minor acceptable risks from major risks
  • Provide data to assist in evaluation and
    consideration of risk response
  • NEED TO CONSIDER
  • Sources of risk
  • Consequences - worst case or likely case?
  • Likelihood of the consequence

Hazard
Uncertainty/Variance
Opportunity
  • Competitive advantage
  • Market innovations
  • Strategic flexibility
  • Regulatory
  • Ethics violations
  • Fraud
  • Forecasting/Budgeting
  • Performance against goals
  • Efficiency

10
The Market Continuum - How do you view risk?
PwC Governance, Risk and Compliance Model
11
The Market Continuum - How do you view risk?
Risk Assessment Types
  • The High-Level Evaluator Diagnostic provides
    organizations with a high-level assessment of key
    risk areas that will result in the following
    benefits
  • Identification of preliminary portfolio of risks
    across the organization
  • Senior Management focus on key areas of exposure
  • Baseline of risks that can subsequently be
    validated and addressed by management
  • The Drill-Down provides a more detailed
    assessment of the organization's internal
    control and risk management activities.
    Benefits include
  • Views of various functional areas and staff
    levels of the organization on current risk
    management practices relative to best practice
  • Detailed assessment of risk management strong
    points and opportunities for improvement
  • Action plans for improvement of risk management
    practices and integration across the organization

12
Analyze Business Processes Along Two Dimensions
[Diagram labels]
Risk
"Soft Controls": People and Culture
"Hard Controls": Business Process
Objective, Risk Control Alignment
Control Survey
Define Objectives; Assess Risks; Analyze Controls; Action Planning/Accountabilities
Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring
13
Performing a Risk Assessment
Enterprise-Wide Risk Assessment
Step 1 Project Launch
Step 2 Shelf Data Review
Step 3 Conduct Surveys/Interviews
Step 4 Analyze and Validate Results
Step 5 Reporting
14
Performing a Risk Assessment
  • Step 1 Project launch
  • Initial team work-streams
  • Validate project objectives, scope and timing;
    develop project check points
  • Identify and gain consensus of major risk areas
  • Based on risk areas identified, select business
    lines and key point people who will be
    responsible and accountable for their respective
    areas
  • Validate selection with senior management
  • Communicate nature of project and expectations to
    key point people
  • Develop and gain consensus on data collection
    template that will be utilized to capture key
    risk and control information, including how to
    determine and document the level of risk for each
    area, activity, function, etc.

15
Consequences and Likelihood
Level of Risk (LR) = Consequence x Likelihood
  • Statistical analysis and calculation
  • Subjective estimates - confidence level on
    estimates

16
Consequences and Likelihood
  • SOURCES OF INFORMATION FOR CONSEQUENCE AND
    LIKELIHOOD
  • Past record
  • Industry practice and experience
  • Relevant published literature
  • Test marketing and market research
  • Experiments and pilot projects
  • Economic or other models
  • Specialist and expert judgement

17
Consequences and Likelihood
Typical parameters to rate levels of risk in
terms of their likelihood of occurrence and
impact on objectives can be represented as
18
Performing a Risk Assessment
  • Step 1 Project launch
  • Train key point people to help identify
  • Key data sources that should be requested and
    reviewed such as policies, procedures, audit
    reports, etc.
  • Personnel who should be considered for interviews
    and detailed analysis
  • Relevant control mechanisms that should be
    analyzed
  • Appropriate level of detail for each area
  • Mobilize resources for scheduling and conducting
    interviews (Interviews will be conducted by key
    point people)
  • Solicit senior management feedback on the
    process, risks targeted, information to be
    collected, depth of analysis and data collection
    tool

19
Enterprise-Wide Risk Assessment
  • List of functional areas considered in scope
    included
  • Sales and Marketing
  • Legal/Government Affairs
  • Research and Development
  • Manufacturing
  • Regulatory Affairs and Quality Assurance
  • Financial Reporting
  • Treasury
  • HR
  • IT
  • Environmental Health and Safety
  • International

20
Enterprise-Wide Risk Assessment
  • Step 2 Conduct a review of data sources to
    strengthen the understanding of control
    environment and business activities
  • Key point people collect data sources from each
    line of business and area in scope.
  • Key point people to review shelf data and
    evaluate
  • Organizational structure and reporting lines
  • Policies and procedures
  • Existing controls and audit mechanisms
  • Management reports
  • Other relevant materials

Goal is to use shelf data to tailor surveys
and interview guides
21
Enterprise-Wide Risk Assessment
Checklists/Questionnaires
  • Strengths
      • Inexpensive way of gaining broad-based input
      • Results can be summarized because the data is in
        a consistent format
      • Reinforces understanding of key policies and
        controls
  • Weaknesses
      • Questions may not be fully understood
      • Quality of results may be affected by response
        rate, and by time and attention given by
        respondent
      • Can be time consuming to distribute, collate and
        summarize

Risk and Control Narratives
  • Strengths
      • More precise descriptions of risks and controls
        than checklists
      • Can be customized to the businesses
      • Provide an easy to follow record of judgments
        made
  • Weaknesses
      • Can be time consuming to develop
      • Can become out of date in changing environments
      • More difficult than checklists to aggregate and
        summarize

Group Facilitation Sessions
  • Strengths
      • Encourage development of group consensus
      • Establish buy-in and commitment to proposed
        actions
      • Technology provides for sharing of ideas with
        anonymity
      • Can be effective in addressing soft controls
  • Weaknesses
      • Quality of results often dependent on skills of
        facilitator
      • Time consuming to organize and conduct
      • Technology adds to expense and complexity

22
Enterprise-Wide Risk Assessment
  • Step 3 Conduct management interviews
  • Purpose of the interviews is to understand
    management's views on
  • Identified risks, related control objectives and
    activities
  • Existing risk management practices
  • Any gaps that may exist
  • Mitigation plans
  • Steps in conducting interviews
  • Introduction and Overview of the Risk Management
    Initiative
  • Overview of Area of Responsibility
  • Goals, Expectations and Accountability
  • Risks and Challenges
  • Risk Prioritization
  • Evaluation of the effectiveness of current risk
    management efforts
  • Areas of Focus and Improvement

23
Enterprise-Wide Risk Assessment
  • Step 3 Conduct management interviews
  • Based on results of interviews, key point people
    to perform process walk-throughs to obtain a
    more in-depth understanding of the process and
    control mechanisms
  • Project team to debrief on all interviews

24
Enterprise-Wide Risk Assessment
  • Step 3 Conduct Surveys
  • Conduct Risk Culture Survey (RCS)
  • Identify and coordinate with project sponsor
    about how to stratify the company for the survey
  • Identify respondents
  • Sample selection of Board Members, Executives,
    Senior Managers, Managers, and other personnel
  • Determine which questions will be included
  • Prepare communication for the project sponsor to
    send to respondents providing information about
    the RCS and ensure communication is sent

26
Enterprise-Wide Risk Assessment
  • Step 4 Analyze and validate results from data
    review, collection and interviews
  • Analyze the results of data review and interviews
  • Evaluate the magnitude of risks based on the
    analysis
  • Evaluate the effectiveness and efficiency of
    control mechanisms in place
  • Document the results in the data collection tool

27
Enterprise-Wide Risk Assessment
Reporting
  • Recommendations
  • Produce project report, capture risk ratings and
    supporting discussion
  • Design EWRM framework to meet the organization's
    needs
  • Implementation
  • Determine objectives and scope of implementation
  • Determine approach (e.g. pilot)
  • Develop project plan
  • Develop monitoring plan
  • Implement the plan

28
KEY POINTS TO REMEMBER
Analysis of Results
  • Perform quality review of information collected
  • Validate findings
  • Identify strong points and areas for improvement,
    highlighting risk exposure
Interviews/Surveys
  • Determine involved parties
  • Define areas of focus
  • Debrief on risk ratings and observations
  • Consolidate findings in risk assessment tool
Define Project Parameters
  • Establish project objectives, scope and approach
  • Present risk assessment tool and tailor as necessary
  • Determine risk definition, categories, rating scales
    and other methodology elements
Shelf Data Review
  • Review selected shelf data
  • Define baseline of risk areas
  • Enhance interview template and surveys based on
    evaluation
29
pwc